
Introduction

One concern raised in the aftermath of Election 2000 was the inability of concerned citizens to access and review the source code used in voting systems. There were accusations that certification testing was only black box testing and that non-disclosure agreements signed by those who had access to source code kept the real truth from getting out. That raised a call for the full disclosure of the source code used in voting system software. This call continues to the present day.

Voting system vendors are reluctant to disclose intellectual property that requires substantial investments in time and money to create. Long before Election 2000, state officials realized that access to source code could create the opportunity to modify these systems, and the distribution of source code was banned or restricted as a security measure. Voting system vendors were viewed with suspicion, and the prices they charged for system sales, licensing, maintenance and support were widely viewed as excessive. About this time, open source software projects were becoming successful and were viewed in the computing world as good alternatives to proprietary systems with licensing fees.

Today, proponents of open source voting systems are proposing approaches that range from simply disclosing all of the source code for voting systems to developing and implementing systems that use a collaborative open source development methodology, as well as everything in between. There are currently three major election jurisdictions in the United States working to develop their own voting systems. Each of them appears to be planning some form of open source disclosure or development, or free software.

The January 2014 report by the Presidential Commission on Election Administration states: "to usher in the next generation of voting machines, the standards and certification process of new voting technology must be reformed so as to encourage innovation and facilitate the adoption of widely available, off-the-shelf technologies and software-only solutions." [1] Many people believe that the software-only solutions called for in the report should be open source voting systems.

The goal of this paper is to provide policy makers with a resource to help them understand what is meant by the term open source and to illustrate how using open source to develop voting systems might have an impact on regulating, certifying and using voting systems.

[1] The American Voting Experience: Report and Recommendations of the Presidential Commission on Election Administration, 2014, page 4. https://www.supportthevoter.gov/files/2014/01/amer-voting-exper-final-draft pdf

Definitions

Source Code is the form of computer instructions and comments written by a programmer in a programming language such as Visual Basic or C. It contains the algorithms, logical instructions, logical functions and mathematical formulas that operate the software. It should contain comments designed to assist with code review and future revisions of the source code by explaining what the various parts of the source code are doing. Most commercial software developers consider their source code to be a trade secret and an asset they have either created or acquired at significant expense.

Object Code is the form of computer software understandable to a computing device. Source code is compiled into object code or is interpreted by an interpreter at run-time. While the computing device understands the object code, it is difficult for humans to read or modify. Most commercial computer programs are distributed only in object code.

Closed Source, also known as proprietary source or secret source code, refers to source code that is considered a trade secret and is protected by prohibitions on disclosure, licensing restrictions, copyrights, and/or patents. In general, only a small number of individuals in the company that owns the code will be given access to it.

Escrowed Source Code is closed source code which a customer or regulatory body requires to be placed into escrow to ensure their ability to maintain the system in the event that the developer of the code ceases to exist or ceases to maintain the system. When a triggering event, such as the bankruptcy of the developer, occurs, the escrow agent releases the source code to the customer. Jurisdictions may require escrow as part of their system purchase requirements, and states may require escrow as part of their certification requirements.

Shared Source is a term used by Microsoft under their Shared Source Initiative. Through the Shared Source Initiative, Microsoft licenses product source code to qualified customers, enterprises, governments, and partners for debugging and reference purposes. Licensees are allowed access to code under restricted conditions subject to non-disclosure agreements. [2] Although Microsoft is given credit for creating the term Shared Source, it is an approach that has always been used for systems that were required to be reviewed by third parties, for certifications, or for systems sold to clients who required that the source code be provided. It is the process that many election jurisdictions have used in certifying voting systems for the last twenty-five years.

[2] Microsoft Shared Source Initiative, Microsoft Corporation.

Disclosed Source is code that is considered to be proprietary but is freely shared with interested parties. While it may be freely examined, it is still considered to be the intellectual property of its owner and may be protected by licensing restrictions, copyrights and/or patents. Production of derivative works without a license may be prohibited. Many of the citizens who called for open source after Election 2000 were, in fact, talking about requiring disclosed source for voting systems.

Open Source may have many meanings, depending upon who is using the term and the context in which it is used. It is sometimes used for those arrangements defined above as Shared Source or Disclosed Source. The term "open source" usually refers to a license that allows the source code or design information to be used, modified and/or shared under defined terms and conditions. One of the earliest definitions of an open source license came from the Open Source Initiative (OSI), formed in 1998 as an educational, advocacy and stewardship organization. Their license requires that the code be disclosed and that certain distribution and licensing conditions be met. They define their open source license as follows:

Open source is not simply access to the source code. The distribution terms of open source software must comply with the following criteria:

1. Free Redistribution. The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.

2. Source Code. The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost, preferably downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed.

3. Derived Works. The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

4. Integrity of The Author's Source Code. The license may restrict source code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software.

5. No Discrimination Against Persons or Groups. The license must not discriminate against any person or group of persons.

6. No Discrimination Against Fields of Endeavor. The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

7. Distribution of License. The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.

8. License Must Not Be Specific to a Product. The rights attached to the program must not depend on the program's being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program's license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution.

9. License Must Not Restrict Other Software. The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open source software.

10. License Must Be Technology-Neutral. No provision of the license may be predicated on any individual technology or style of interface. [3]

OSI issues approval of open source licenses for software and licensing agreements that comply with their definition of open source. However, there is no legal requirement that software be approved by OSI, nor does it have to meet the OSI definition of open source, in order to be called open source. [4]

Free Software is defined by the Free Software Foundation as: "software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, free software is a matter of liberty, not price. To understand the concept, you should think of free as in free speech, not as in free beer. We sometimes call it libre software to show we do not mean it is gratis." [5] And: "Free software does not mean noncommercial. A free program must be available for commercial use, commercial development, and commercial distribution. Commercial development of free software is no longer unusual; such free commercial software is very important. You may have paid money to get copies of free software, or you may have obtained copies at no charge. But regardless of how you got your copies, you always have the freedom to copy and change the software, even to sell copies." [6]

[3] Open Source Definition, Open Source Initiative. Licensed under a Creative Commons Attribution 4.0 International License.
[4] Frequently Asked Questions, Open Source Initiative. Licensed under a Creative Commons Attribution 4.0 International License.
[5] What is Free Software? Definition, Free Software Foundation, Inc. Copyright 2009, 2010, 2012, 2013, 2015 Free Software Foundation, Inc. https://gnu.org/philosophy/free-sw.html Licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.
[6] What is Free Software? Discussion, Free Software Foundation, Inc. Copyright 2009, 2010, 2012, 2013, 2015 Free Software Foundation, Inc. https://gnu.org/philosophy/free-sw.html Licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Although the terms are often used interchangeably with open source, the Free Software Foundation views its licenses as less restrictive than open source licenses. A significant difference between the two is that open source licenses do not allow the software to be sold or royalties to be charged for its use, while free software may be sold.

Discussion

When policy makers discuss the use of open source voting systems, and make decisions regarding the requirements for, allowing, or prohibiting them, it is critical that all parties are clear on exactly what is meant by open source. Systems marketed and licensed as closed source systems frequently contain some open source elements. The OSI definition of open source allows for the distribution of closed source programs in an open source system.

Some of the individuals and organizations that advocate open source for voting systems are, in reality, advocating disclosed source. They would like all source code used in voting systems to be available for inspection by the public, but do not necessarily advocate for open source during the period when the voting systems are under development.

Many people use the terms open source and free software interchangeably. In some states, legislators have discussed funding for developing an open source voting system which, after being fully developed, could be licensed to other jurisdictions to help recover the cost of development. Such a system would not meet the requirements for an OSI open source license but could meet the definition of free software as defined by the Free Software Foundation.

There is no requirement that individuals using these terms give them meanings consistent with the definitions above. When using these terms in statutes or regulations, it is important that the terms used be clearly defined within the body of the document.

The debate regarding the merits of closed source versus open source is ongoing.

Arguments in favor of closed source include:

- Other developers, particularly newcomer competitors, will copy and use the code and, from that code, will gain a decided advantage by acquiring the original developer's knowledge and processes without making an investment in research and development.
- Knowledge of the code makes it easier for attackers to find and exploit vulnerabilities in the system.
- Users are able to modify the code and put their modifications into production, introducing the potential for errors and professional embarrassment. This can also allow them to achieve independence from vendor support and maintenance.
- Open source allows unqualified people to examine the code, publish incorrect findings and raise unfounded concerns about the integrity of the system.
- Royalties from proprietary systems fund professional research and ongoing improvements to the systems.
- Analysis of the code by others can give rise to a variety of legal and public relations problems, including accusations of copyright infringement, criticism of code structure and disclosure of developer comments within the code that were never meant for publication.

Arguments in favor of open source include:

- Other developers, particularly newcomers, can copy and use the code and, with the decided advantage of the original developer's knowledge and processes, can quickly get up to speed and start helping to improve the code.
- Knowledge of the code makes it easier for white hat attackers to find and help mitigate vulnerabilities in the system.
- Users are able to make modifications to the code to address bugs or develop enhancements, test their modifications and submit them to the core group of developers for further testing and inclusion in future releases of the system. This can also allow them to independently resolve issues that are unique to their environment.
- Open source allows a large number of qualified people to examine the code. As a result, bugs are discovered quickly, which allows for significantly more suggestions, improvements and extensions.
- Open source projects benefit from donated programmer time and may be less expensive to develop and maintain.
- The use of open source code has proven to be successful in numerous major projects. One only has to look to the development of Linux and the Apache Web Server to see the value of this approach.

The first five arguments in favor of closed source and open source are based upon different views of the same facts. Both approaches can produce high quality products, so there is little point in arguing their relative merits. The best approach for an organization developing a system will depend on the resources available and the comfort level that the project owners and key personnel have with one approach over the other.

Developing and maintaining open source systems is a collaborative process. Users and other interested individuals are encouraged to involve themselves as beta testers and co-developers. Most successful open source projects have an organized central control. This is usually a small group of core developers who provide the initial system design and coding, then act as a central point for version control, documentation and communications. The core developers evaluate, then accept or reject contributions, and are the authority that defines the official releases of the system.

Compliance with the U.S. Election Assistance Commission's Voluntary Voting System Guidelines (VVSG) under open source development presents a challenge. The task of bringing together the efforts of dozens, hundreds, or thousands of programmers to create a single, well-formed, usable body of code is difficult. An individual who took part in one project to develop an open source voting system noted that convincing programmers to comply with the VVSG coding standards was difficult. Even within a proprietary organization that hires very experienced senior programmers, getting them to understand the importance of, and requirements for, the code structure and documentation mandated in the VVSG standards is a daunting task. When utilizing volunteer programmers who possess varying degrees of talent and experience, meeting the standards was the biggest impediment to the project.

The open source development model tends to rapidly produce new versions of a system, so it is reasonable to expect a higher risk associated with ensuring that the correct certified version of the system is implemented. User co-developers will have to exercise great care to maintain separate development and production environments and to ensure the correct version is installed prior to each election.

Licensing open source systems is free and may, or may not, be subject to the restrictions in the OSI license models. Under the OSI licenses, fees or royalties may not be charged for software distribution or use. For private sector voting system businesses dealing with OSI licensed open source systems, licensing fees will no longer be part of their business model. Their revenue must be derived from providing election jurisdictions with operational support, system maintenance and consulting. Systems licensed as free software may be developed in a collaborative manner similar to open source, yet the code may be sold or licensed for use.

In a collaboratively developed and maintained open source system, the involvement of an active group of user/co-developers should make system maintenance, including identifying bugs, developing bug fixes, improving functionality and implementing new features, more efficient. However, without that kind of involvement and contribution of resources to the system, it may also stagnate, and users could be lost to other systems.

All voting systems require a high degree of technical support. Half of the nation's counties have fewer than 16,500 registered voters. Elections in small jurisdictions are run with small or part-time staff and rely on vendors for this support. [7] Within the context of open source development, it is highly unlikely that a county with only 16,500 registered voters will have a computer programmer on staff to represent them as a co-developer on their system, or to analyze issues in their elections and communicate them to the rest of the users. If small counties adopt open source voting systems and escape the licensing fees associated with proprietary voting systems, they will need to transfer those resources to staffing for internal support or to engaging contractors for support.

Whether a state has its own voting system certification program, relies on the US Election Assistance Commission certification program or simply allows purchasing processes to select appropriate systems, regulators and users of voting systems must exercise due diligence to determine whether a particular voting system meets their needs. They must determine that the system functions as required by applicable state and federal law and is accurate and reliable. The basis for this determination must be well documented. There is no reason to expect that the effort required to evaluate a voting system and certify it for use within a jurisdiction will be substantively different for open source systems.

The documentation and testing artifacts used to determine whether a system is certified must be retained to verify that every system in use within the jurisdiction is identical to the certified system. The process used for this verification will be substantially the same for open source systems and proprietary systems.

[7] Mr. Kimball Brace, Basic Election Admin Facts, Need for Data, June 2014.

Conclusions

The use of voting systems with some form of disclosed or open source is probably inevitable. Public concern regarding the integrity of voting systems and their overall transparency will force decision makers to require vendors to disclose at least some of the source code used in their voting systems. Companies that develop and market proprietary systems can use a disclosed source model and should have adequate protection of their intellectual property in existing copyright and patent law.

Jurisdictions that wish to develop their own systems will be well served by the free software approach. They can determine system requirements, select members for their core development group, then enlist the contributions of user/co-developers. Eventually, they may be able to recover their development costs and, perhaps, the costs of certifying the system through licensing fees for its use.

The choice to use a proprietary or open development approach will depend on the resources available to the organization developing the system. Collaborative open source development requires an active, involved group of user/co-developers. Traditional proprietary commercial development takes substantial investment in development, marketing and user support.

There is nothing in the methodology of open source development that will diminish the certification requirements or the scrutiny given to systems built on such software. The effort required to evaluate and certify the systems remains the same regardless of how the software was developed, is maintained and is supported.

Regulators should proceed with caution as they consider drafting legislation that either requires or prohibits the use of disclosed source, open source or free software. It is important to ensure that the terms are clearly defined and consistently applied throughout the body of the text.
